Saturday, 8 December 2012

Large Scale Attack on mTAN

The mobile variant of the Zeus malware has been used to steal large amounts of money by intercepting mTANs. This was to be expected. Banks must understand that in a world where non-experts use computers they have to offer secure solutions, not the cheapest ones.

Thursday, 13 September 2012

Severe Security Flaw in ATMs

Ross Anderson has published a severe security flaw in some ATMs: the nonce (EMV's "unpredictable number") that the ATM sends to the card when authenticating it is predictable. Therefore, an attacker can proceed as follows. First, identify a vulnerable ATM and predict the nonce it will use. Second, present the victim's card with that nonce using a fake POS terminal and record the card's authentication response (the cryptogram). Since the cryptogram also covers the amount and date, the fake terminal has to use the values of the transaction the attacker intends to make. Program a chip card to answer with that response. Third, use the programmed card at the vulnerable ATM, which accepts the replayed response.
All the details are given in the linked publication. It appears that this vulnerability has already been exploited in real frauds.
Such severe implementation issues cast serious doubt on the whole EMV scheme. This could only happen because the certification process for ATMs did not check the unpredictability of the nonces, even though the security of the protocol depends on exactly that.
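To make the three steps concrete, here is a small simulation of the pre-play attack. This is an added example, not code from the publication or from any real ATM: the cryptogram is a toy HMAC stand-in for the EMV ARQC (real cards use 3DES/AES session keys), the card key, amounts, dates and the counter-based nonce generator are constructed, and the class and function names are my own.

```python
import hashlib
import hmac
import os
import struct


def toy_arqc(card_key: bytes, amount: int, date: str, atc: int, un: bytes) -> bytes:
    # Stand-in for the EMV ARQC (assumption: HMAC instead of the real 3DES/AES
    # session-key MAC). What matters is which fields the MAC covers: amount, date,
    # the card's transaction counter (ATC) and the terminal's unpredictable number (UN).
    msg = struct.pack(">Q", amount) + date.encode() + struct.pack(">H", atc) + un
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Card:
    """The victim's genuine card."""
    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0

    def generate_ac(self, amount: int, date: str, un: bytes):
        self.atc += 1
        return self.atc, toy_arqc(self.key, amount, date, self.atc, un)


class ClonedCard:
    """Attacker's programmed chip: answers with one pre-recorded (ATC, ARQC) pair."""
    def __init__(self, atc: int, cryptogram: bytes):
        self.atc, self.cryptogram = atc, cryptogram

    def generate_ac(self, amount: int, date: str, un: bytes):
        return self.atc, self.cryptogram        # ignores the UN the ATM actually sent


class Issuer:
    """Issuer host: recomputes the cryptogram and rejects non-increasing ATCs."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0

    def verify(self, amount, date, atc, un, cryptogram) -> bool:
        if atc <= self.last_atc:                # plain replay of an old cryptogram
            return False
        expected = toy_arqc(self.key, amount, date, atc, un)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.last_atc = atc
        return True


class ATM:
    def __init__(self, issuer: Issuer, un_source):
        self.issuer = issuer
        self.un_source = un_source              # how this ATM produces its UN

    def withdraw(self, card, amount: int, date: str) -> bool:
        un = self.un_source()
        atc, cryptogram = card.generate_ac(amount, date, un)
        return self.issuer.verify(amount, date, atc, un, cryptogram)


class CounterUN:
    """Flawed UN generator (constructed): a counter, so one observed UN reveals the next."""
    def __init__(self, start: int = 0x1000):
        self.n = start

    def __call__(self) -> bytes:
        self.n += 1
        return struct.pack(">I", self.n)

    def predict_next(self) -> bytes:            # step 1: what the attacker can do
        return struct.pack(">I", self.n + 1)


def random_un() -> bytes:
    """Corrected ATM: UN from the OS CSPRNG."""
    return os.urandom(4)


CARD_KEY = b"constructed-card-key"              # toy card/issuer shared key


def pre_play(un_source, predicted_un: bytes, amount: int = 20000, date: str = "121001") -> bool:
    victim, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    # Step 2: the fake POS terminal asks the victim's card for a cryptogram over the
    # exact transaction the attacker intends to make, with the predicted UN.
    atc, cryptogram = victim.generate_ac(amount, date, predicted_un)
    clone = ClonedCard(atc, cryptogram)
    # Step 3: the programmed card is inserted into the real ATM.
    return ATM(issuer, un_source).withdraw(clone, amount, date)


def attack_vulnerable_atm() -> bool:
    un = CounterUN()
    return pre_play(un, un.predict_next())      # cryptogram matches the UN the ATM picks


def attack_fixed_atm() -> bool:
    return pre_play(random_un, os.urandom(4))   # attacker's guess; succeeds with probability 2**-32


def honest_withdrawal() -> bool:
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    return ATM(issuer, random_un).withdraw(card, 5000, "121001")
```

Note that the issuer's ATC check does not help: the harvested cryptogram carries a fresh counter value, so it is not a replay from the issuer's point of view. Only an unpredictable UN defeats the attack, which is why certification has to test the generator, not just the presence of the field.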

Tuesday, 7 August 2012

Online Payment Processors Don't Count Retries

A German TV station wanted to find out what happens if one enters random CVV numbers into the checkout page of e-commerce sites. Five out of six banks let them keep trying CVV numbers until they found the right one. As this is a very old security issue, I am really surprised that this is still possible. It becomes really unfortunate when this attack is combined with the new NFC credit cards, where anyone can read the card holder data, but not the CVV, over NFC. Not using a retry counter for an NFC credit card is a really bad idea.
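The following added example (my own code, not anything from the report or from a real processor) shows why the missing counter matters: a three-digit CVV has only 1000 values, so an attacker who read the PAN and expiry over NFC simply tries them all. The card data, the lockout threshold of three attempts and the names used are assumptions for the illustration.

```python
from collections import defaultdict

MAX_ATTEMPTS = 3          # assumed lockout threshold; the report gives no number


class CvvChecker:
    """Constructed card-verification endpoint of a payment processor / issuer.
    With count_retries=False it behaves like the five banks in the report:
    unlimited guesses per card."""
    def __init__(self, cards: dict, count_retries: bool):
        self.cards = cards                       # pan -> cvv, constructed test data
        self.count_retries = count_retries
        self.failures = defaultdict(int)         # failed attempts keyed by PAN

    def verify(self, pan: str, cvv: str) -> str:
        if self.count_retries and self.failures[pan] >= MAX_ATTEMPTS:
            return "locked"                      # card blocked for online use until reviewed
        if self.cards.get(pan) == cvv:
            self.failures[pan] = 0               # a genuine cardholder may mistype once
            return "ok"
        self.failures[pan] += 1
        return "wrong"


def brute_force_cvv(checker: CvvChecker, pan: str):
    """Attacker who knows PAN and expiry (readable over NFC) but not the CVV.
    Returns (cvv or None, number of attempts made)."""
    for attempt, cvv in enumerate((f"{n:03d}" for n in range(1000)), start=1):
        result = checker.verify(pan, cvv)
        if result == "ok":
            return cvv, attempt
        if result == "locked":
            return None, attempt
    return None, 1000


CARDS = {"4111111111111111": "737"}              # constructed test card


def without_counter():
    return brute_force_cvv(CvvChecker(CARDS, count_retries=False), "4111111111111111")


def with_counter():
    return brute_force_cvv(CvvChecker(CARDS, count_retries=True), "4111111111111111")
```

Without the counter the attacker needs at most 1000 requests, 738 here. With it, the card is locked after the third wrong guess and the fourth request is refused. The counter has to live where all attempts converge, at the issuer, because an attacker can spread the guesses over many merchants; that placement is my design choice, not something the report states.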

Sunday, 15 July 2012

Attack against EMV Terminals

The German security company SRLabs claims that they found several vulnerabilities in popular EMV terminals, including a buffer overrun and an open JTAG port. If someone manipulates the user interface of the terminal it is quite easy to steal the PIN. Such a manipulation might be done by attacking a legitimate terminal or, even more easily, by presenting the user with a fake terminal. The real issue is that the PIN is used as an authentication token wherever it is entered. It would be much safer to have a personal authentication device, such as a cellphone. The user would authenticate to their device with their preferred method, and the device would authenticate to the rest of the world with a cryptographic protocol. This assumes that the user's device is secure, but in contrast to the present situation the user can ensure the security of a personal device.
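To show the difference between the two schemes, here is an added example of my own (not SRLabs' code and not a description of any existing product): in scheme A the PIN itself is the token, so a fake terminal that captures it can authorise anything; in scheme B the PIN is checked only inside the user's device, which releases a MAC bound to one amount and one bank challenge. The HMAC-based response, the 16-byte challenge, the three-strikes lock on the device and all names are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import struct


def _response(key: bytes, amount: int, nonce: bytes) -> bytes:
    # Assumption: an HMAC over (amount, bank challenge) stands in for whatever
    # signature the device would use; the point is that it is bound to both.
    return hmac.new(key, struct.pack(">Q", amount) + nonce, hashlib.sha256).digest()


class Bank:
    def __init__(self, pin: str, device_key: bytes):
        self.pin = pin                     # scheme A: reusable secret typed into terminals
        self.device_key = device_key       # scheme B: key shared with the personal device
        self.open_challenges = set()

    # Scheme A: whoever presents the PIN is authorised, for any amount.
    def authorize_with_pin(self, pin: str, amount: int) -> bool:
        return hmac.compare_digest(pin.encode(), self.pin.encode())

    # Scheme B: the bank challenges (via the terminal), the user's device answers.
    def new_challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.open_challenges.add(nonce)
        return nonce

    def authorize_with_device(self, amount: int, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.open_challenges:       # unknown or already consumed
            return False
        if not hmac.compare_digest(_response(self.device_key, amount, nonce), response):
            return False
        self.open_challenges.discard(nonce)
        return True


class PersonalDevice:
    """The user's own device: checks the PIN locally, never transmits it."""
    MAX_PIN_FAILURES = 3                   # assumed local lockout

    def __init__(self, pin: str, device_key: bytes):
        self._pin = pin
        self._key = device_key
        self._failures = 0

    def approve(self, entered_pin: str, amount: int, nonce: bytes):
        if self._failures >= self.MAX_PIN_FAILURES:
            return None                    # device locked
        if not hmac.compare_digest(entered_pin.encode(), self._pin.encode()):
            self._failures += 1
            return None
        self._failures = 0
        return _response(self._key, amount, nonce)


def fake_terminal_pin_scheme() -> bool:
    """Scheme A: the fake terminal records the PIN typed for a small purchase."""
    bank = Bank(pin="1234", device_key=os.urandom(32))
    captured_pin = "1234"                  # the user typed it into the attacker's terminal
    return bank.authorize_with_pin(captured_pin, amount=50000)   # attacker's own purchase


def fake_terminal_device_scheme():
    """Scheme B: the same fake terminal relays traffic and keeps a copy of it."""
    key = os.urandom(32)
    bank = Bank(pin="1234", device_key=key)
    device = PersonalDevice(pin="1234", device_key=key)

    nonce = bank.new_challenge()                           # relayed by the fake terminal
    response = device.approve("1234", 1000, nonce)         # user approves 10.00 on own device
    other_amount = bank.authorize_with_device(50000, nonce, response)  # bound to 10.00
    honest = bank.authorize_with_device(1000, nonce, response)         # the real purchase
    replay = bank.authorize_with_device(1000, nonce, response)         # challenge consumed
    return other_amount, honest, replay
```

In scheme A the captured PIN is good for any later transaction; in scheme B the attacker's copy of the response is useless for a different amount and cannot even be submitted twice, and the PIN never left the device. The example does not model card data, which an attacker in scheme A would still need alongside the PIN.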